Google’s $22.5 million FTC penalty is not enough: Here’s why

The Wall Street Journal (subscription required) reports that Internet giant Google is on the verge of agreeing to a $22.5 million settlement with the FTC to put to rest charges that it violated iOS users’ privacy by intentionally bypassing the built-in privacy controls in Apple’s Safari Web browser so Google could track their browsing habits. If the settlement plays out as reported, it would represent the single largest penalty ever assessed against a single company by the Federal Trade Commission. Even though $22.5 million barely represents half a day’s income to Google, it’s probably not an achievement Google will memorialize with a bronze plaque outside its Mountain View headquarters.

This isn’t the first time Google has run afoul of the FTC over user privacy concerns. What’s the basis of the current case and how does it compare to Google’s privacy record with U.S. regulators? And does Google even stand out amongst tech companies taken to task by the FTC over privacy issues?

Google, Safari, and the FTC

The current case being investigated by the FTC surrounds Apple’s Safari Web browser, both in iOS devices like the iPhone and iPad as well as Apple’s desktop Mac OS X operating system. Since Safari debuted as a desktop browser all the way back in 2003, it has had a default setting to block third-party cookies — it also featured a “privacy reset” option for clearing cookies and other browser settings. Safari 2.0 (from 2005) was the first to enable a “private browsing” mode — many ridiculed it as a way for Mac users to surf porn sites, but it also offered effective protection against first- and third-party cookies as well as against being tracked by (many still-nascent) advertising networks.

As Google became a major force in online advertising — in part through acquisitions like DoubleClick and AdMob — Google wanted a way to serve personalized ad content and things like its “+1” buttons to signed-in Google users. It did so using a post-back mechanism that enabled it to set cookies in the Safari browser even if the browser was set to disallow third-party cookies. (Stanford grad student Jonathan Mayer analyzed the technical details of the mechanism.) One could argue that Google was only able to do this because of a flaw in Safari, but Google did more with the technique than just determine whether users were signed in to Google and had agreed to receive personalized advertising: the technique also let Google install tracking cookies. So, even if users were blocking third-party cookies in Safari (the default) and were not signed in to Google, Google could still track their actions not just through Google’s own sites, but through any site that carried Google advertising or services. Given the near-ubiquity of things like YouTube and Google’s AdSense advertising services, that’s a major chunk of the Internet.

Google has maintained it did nothing wrong, and began deleting the tracking cookies as soon as it became aware they were being set. It characterized the bypass technique as “known Safari functionality,” said it was deleting any data it gathered as a result of the cookies, and said that no harm was done to consumers. However, Google did collect information about all Safari users it encountered, regardless of whether they had a Google account, were signed in to it, or had agreed to accept social advertising; there is no indication Google shared that information with other companies. Nonetheless, Google may well have profited from knowing more about Safari users’ browsing habits than its competitors did.

The FTC isn’t alone investigating these issues: several states’ attorneys general have launched their own probes, and European regulators are also investigating Google’s bypassing of Safari’s built-in privacy tools.

Buzzkill

The Safari situation puts Google in hot water because the company had previously entered into a 20-year consent decree in 2011 for “deceptive privacy practices” surrounding the launch of Google Buzz. In that case, Google escaped having to pay any fines, but it did agree to implement a comprehensive privacy program, and subject itself to regular independent privacy audits for 20 years.

Google Buzz, for folks who don’t recall, was Google’s initial ill-fated effort to leverage its widely used Gmail service into a social networking platform. To launch the service, Google enrolled Gmail users in aspects of Google Buzz without their consent, which resulted in details of users’ contacts and correspondents automatically being disclosed to other users — in some cases even if they declined to try out Google Buzz. By the end of the year, Google had killed off Google Buzz and switched its focus to Google+, but the damage was done: Google had not only flubbed its first serious move into social networking, it had brought down 20 years of federal scrutiny about its privacy practices too.

As a result of the Buzz fiasco, Google can be liable for up to $16,000 per day that it violates its consent agreement with the FTC. If the $22.5 million figure cited by the Wall Street Journal is accurate and the $16,000-per-day fine is the basis for the penalty, that could mean Google would essentially admit it was tracking Safari users without their consent for the better part of four years.

What about everyone else?

A number of federal agencies monitor aspects of many Internet companies’ businesses, and Google doesn’t just tangle with the FTC. Just a few months ago the Federal Communications Commission fined Google a paltry $25,000 for collecting personal information with its Street View vehicles as they cruised by Wi-Fi hotspots. However, although it’s a small agency, the Federal Trade Commission is primarily responsible for consumer protection. How have other Internet giants fared with the FTC?

Not so well, as it turns out. Perhaps the most public settlement with the FTC over privacy issues was from social networking giant Facebook: the FTC accused Facebook of failing to keep a number of privacy-related promises it made to users, including making formerly-private information public, sharing data with third parties without user consent, keeping data around and accessible even after accounts were deleted, and falsely claiming it complied with the U.S.-EU Safe Harbor Framework for data transfer. For all that and more, however, Facebook paid no penalties — but it did agree to the same 20 years of independent, third-party privacy audits later applied to Google.

Social networking aggregator Spokeo also had to settle with the FTC — and it didn’t get off for free, agreeing to pay $800,000 to settle charges it violated the Fair Credit Reporting Act as well as “astroturfing” by posting false endorsements of its services to blogs and Web sites. However, unlike Google and Facebook, Spokeo isn’t a primarily consumer-facing service. Rather, it collects and aggregates information about individuals from social networking sites and the Internet, bundles it up, and sells it to recruiters, background screeners, and human resources departments — if you’ve ever had a foul-mouthed tweet or drunken Facebook photo come back to haunt you during a job interview, Spokeo may be why. The FTC alleged, among other things, that Spokeo failed to comply with requirements governing consumer reporting agencies.

What about other social networking sites? Believe it or not, in May MySpace had to work out a settlement with the FTC for sharing personal information with third parties without user consent. Sound similar to Facebook? It does: and, like Facebook, MySpace didn’t have to pay a penny, but did have to agree to having its privacy practices audited for the next 20 years.

Twitter hasn’t emerged unscathed either — although the circumstances are different. Twitter agreed to have its security and privacy practices audited for 20 years as a result of two security breaches in January and May of 2009 during which attackers were able to get administrative access to Twitter — including access to private information and the ability to generate phony tweets. In these instances, Twitter didn’t promise one thing and do another — it promised users privacy and wound up getting hacked. Something similar happened with game site RockYou, from which hackers managed to glean some 32 million email addresses during an attack. However, RockYou also wound up agreeing to pay $250,000 in penalties because it had also collected personal information from nearly 180,000 children without their parents’ consent, in violation of the Children’s Online Privacy Protection Act (COPPA), which bars the collection or sharing of children’s information online without their parents’ consent.

COPPA has been at the core of settlements the FTC has reached with many technology companies, including Broken Thumbs Apps, Skidekids, and Xanga.com. The Xanga case (from 2006) involved the highest fine ever levied for a COPPA violation: $1 million. Xanga knowingly collected and disclosed information about 1.7 million children age 13 and under without parents’ consent over a period of five years.

Even Microsoft has run afoul of COPPA. Back in 2002 the company reached a settlement with the FTC over claims that its Passport single sign-in and wallet service was designed to let users easily and safely make purchases from participating merchants, and could even set up accounts for kids that limited the collection of personal information by participating sites; among other things, Microsoft was found to have misrepresented what information about children was shared with third parties.

Breaking the pattern

Leaving aside issues of the Children’s Online Privacy Protection Act, the Federal Trade Commission is empowered under the FTC Act. Although it has been amended since, the act dates all the way back to 1914 and doesn’t include any language about the privacy practices of businesses. The FTC’s mandate essentially derives from the Act’s prohibition of deceptive and unfair trade practices, and its settlements with companies like Microsoft, Google, Twitter, and Facebook stem from its interpretation of that act. A company could potentially take the FTC to court and argue that the FTC’s interpretation overreaches the authority granted by the act.

It may seem ludicrous for a company to try to take the federal government to court and argue it has no authority to regulate how it conducts business — but that’s exactly what Comcast did with the FCC over its Internet regulatory framework, essentially gutting the idea of Net neutrality. Although it’s rare for firms to challenge the FTC’s interpretation of its authority, the rapidly evolving Internet and mobile industries might be the place where it happens.

Why? Because companies like Facebook and Google have now established a pattern where they unilaterally expand their collection and usage of consumer data and violate promises they made to their users — and see very little downside. Both Google and Facebook have rolled out new services that exposed information about their users without first obtaining consent — and, to date, neither has paid a penny in penalties, or even admitted to any wrongdoing. Google and Facebook are both companies that don’t charge directly for most of their services, and they’re hardly alone in that regard. The value these companies derive from their users stems largely from the personal and profile information they’re able to collect about users’ lives and interests and, in turn, sell to advertisers. As the saying goes: if you’re not paying for it, you are the product, not the customer.

The FTC’s settlements to date with the likes of Google, Facebook, and even Twitter (which resulted from a data breach) are consistently on the side of transparency:

Companies need to get affirmative consent from users before making retroactive, adverse changes to privacy policies;

Companies must disclose important changes in their privacy practices;

Companies must be straightforward when soliciting consent to new uses of data — weasel words and less-than-complete disclosure won’t do.

Subjecting Internet companies to as much as 20 years of privacy audits might seem like a major enforcement move — and Google, Twitter, and Facebook are all now under such requirements. However, Google looks like it will be the first company that will have to come to terms with violating a privacy settlement with the FTC. And what does that look like it’s going to cost them?

Half a day’s pay.

At that rate, it’s hard to believe any company trying to compete with Google or Facebook will consider dodgy privacy practices anything more than a minor cost of doing business.